How to configure iptables to realize local port forwarding

This article mainly introduces the configuration iptables Method for realizing local port forwarding , stay Linux Server operation and maintenance process is very common , Friends in need can refer to
scene
If you're using resin Debug one Web Program , Need to restart frequently resin. This Web The program needs to be on 80 On port , and Linux Limit 1024 The following ports must have root Permission to open . But you don't want to always turn on one when adjusting the program root terminal . under these circumstances , You can take resin On default 8080 On port , And then use iptables To realize and really open the service in 80 The same effect on the port .
Method
Will work with 80 Port of TCP Connect to local 8080 On port . Use DNAT (Destination Network Address Translation) Technology can meet this requirement . because iptables The method of dealing with local connection and remote connection is different , So it needs to be dealt with separately . Let's assume that IP yes 192.168.4.177.
Remote connection
Remote connection refers to the connection of another machine to this machine . The packets of this connection are in iptables Will go through first PREROUTING chain , So just in PREROUTING Chain work DNAT.

The code is as follows :

  
 
 

   
  
  
# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.4.177 --dport 80 -j DNAT --to 192.168.4.177:8080
  
 
 

Local connection
Local connection refers to the local connection , use 127.0.0.1 Or this machine IP To access the port of this machine . Locally connected packets will not pass through the network card , Instead, it is processed by the kernel and sent directly to the local process . This kind of packet is in iptables Only through OUTPUT chain , Instead of going through PREROUTING chain . So you need to be in OUTPUT In the chain DNAT. Except yes 127.0.0.1 outside , For this machine IP ( namely 192.168.4.177) Access to is also a local connection .

The code is as follows :

  
 
 

   
  
  
# iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j DNAT --to 127.0.0.1:8080
   
  
  
# iptables -t nat -A OUTPUT -p tcp -d 192.168.4.177 --dport 80 -j DNAT --to 127.0.0.1:8080
  
 
 

matters needing attention
You may need to open... With the following command IP forward ：

The code is as follows :

  
 
 

   
  
  
# echo 1 > /proc/sys/net/ipv4/ip_forward
  
 
 

During the test , If you want to reset iptables, You need to empty... First nat surface ：

The code is as follows :

  
 
 

   
  
  
# iptables -F -t nat
  
 
 

Example operation
Here will be the local interface IP 61.144.a.b Of 3389 port Forwarding to 116.6.c.d Of 3389      （ Mainly visit 61.144.a.b Of 3389 port , It will jump to 116.6.c.d Of 3389）
1、 The first thing to do is /etc/sysctl.conf Profile's net.ipv4.ip_forward = 1 The default is 0    This allows iptalbes FORWARD.
2、 service iptables stop   Turn off firewall
3、 Reconfigure rules

The code is as follows :

  
 
 

   
  
  
iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 3389 -j DNAT --to-destination 116.
   
  
  
6.c.d:3389
   
  
  
iptables -t nat -A POSTROUTING --dst 116.6.c.d -p tcp --dport 3389 -j SNAT --to-source 61.144.a.b
   
  
  
service iptables save
  
 
 

Save the current rule to /etc/sysconfig/iptables
         If you are familiar with this file, directly modifying the content here is also equivalent to command-line input rules .
5、 start-up iptables service , service iptables start

Can be written into a script , The equipment starts automatic operation ;
The code is as follows :

  
 
 

   
  
  
# vi /etc/rc.local 
   
  
  
#!/bin/sh
   
  
  
#
   
  
  
# This script will be executed *after* all the other init scripts.
   
  
  
# You can put your own initialization stuff in here if you don't
   
  
  
# want to do the full Sys V style init stuff.</p> <p>touch /var/lock/subsys/local</p> <p>sh /root/myshipin.log
   
  
  
---------------------------------------------------------------------
   
  
  
vi myshipin.log 
   
  
  
#!/bin/sh
   
  
  
#
   
  
  
# This script will be executed *after* all the other init scripts.
   
  
  
# You can put your own initialization stuff in here if you don't
   
  
  
# want to do the full Sys V style init stuff.</p> <p>iptables -F -t nat
   
  
  
iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 3389 -j DNAT --to-destination 116.6.c.d:3389
   
  
  
iptables -t nat -A POSTROUTING --dst 116.6.a.b -p tcp --dport 3389 -j SNAT --to-source 61.144.c.d
   
  
  
~
   
  
  
----------------------------------------------------------------
   
  
  
TCP</p> <p>iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 9304 -j DNAT --to-destination 10.94.a.b:9304
   
  
  
iptables -t nat -A POSTROUTING --dst 10.94.a.b -p tcp --dport 9304 -j SNAT --to-source 61.144.a.b</p> <p>UDP
   
  
  
iptables -t nat -A PREROUTING --dst 61.144.a.b -p udp --dport 9305 -j DNAT --to-destination 10.94.a.b:9305
   
  
  
iptables -t nat -A POSTROUTING --dst 10.94.a.b -p udp --dport 9305 -j SNAT --to-source 61.144.a.b
  
 
 

another ：iptables The location of the configuration file ：/etc/sysconfig/iptables If the Internet address changes, just modify it in the configuration file .